
AI Incident Procedure

AIAdopt, version 1.0

In force: 21 April 2026 · Next review: Q4 2026


Why are we publishing this document?

An AI Usage Policy without an accompanying Incident Procedure is half a governance practice. The policy describes how we use AI; this procedure describes what we do when it goes wrong. We publish both together, because together they form one working whole. This is not a marketing document; it is our internal working procedure. Anyone who wants to see how a sole proprietorship sets up workable AI incident handling can read along here.


1. Document control

Document: AIAdopt AI Incident Procedure
Version: 1.0
Status: In force
Effective date: 21 April 2026
Next review: Q4 2026 (and annually thereafter), as well as after each triggered incident
Owner: Rob Ummels, founder (incident manager)
Linked documents: AIAdopt AI Usage Policy v1.0, AIAdopt AI Tool Inventory v1.0
Legal basis / reference framework: GDPR Articles 33 and 34, Article 73 EU AI Act insofar as AIAdopt acts as a provider of a high-risk AI system
Voluntary commitment: EU AI Pact Optional Commitments on risk management

2. Purpose

This procedure describes how AIAdopt handles incidents involving AI tools, insofar as they are used by or on behalf of the organisation. It exists to detect incidents early, contain them quickly, report them where the law requires, and learn from them. The procedure supports the risk-management commitments under the EU AI Pact and the legal obligations under the GDPR. Article 73 EU AI Act is included in case AIAdopt acts in the future as a provider of a high-risk AI system or otherwise falls under an AI Act reporting obligation.


3. What counts as an AI incident

An AI incident is any event in which an AI tool used by AIAdopt produces, enables or fails to prevent a result that is harmful, unlawful, materially incorrect or contrary to the AIAdopt AI Usage Policy. Examples:

Entering personal data into an AI tool in a way that breaches the GDPR or the AIAdopt AI Usage Policy.
External publication of AI-generated content that is factually incorrect, misleading, discriminatory, or infringes copyright.
Use of an AI tool outside the AI Tool Inventory for operational work.
Unexpected behaviour of an AI tool that causes disruption to the AIAdopt platform or its services.
Misuse of the AIAdopt training platform with AI components, reported by a learner or client.
Any event that qualifies as a serious incident under Article 73 EU AI Act (see section 5).

This internal definition is deliberately broader than the legal definitions of a personal data breach or of a serious AI incident. Not every AI incident handled under this procedure is automatically subject to a legal reporting obligation.


4. Severity levels and minimum response

Each incident is classified on a four-level scale. The classification determines the minimum response. The founder may always escalate a level if the situation warrants it.

Level 1: Minor

Examples: AI output with a factual error that has not been published externally; a small bug in an AI-generated code fragment, caught during review.

Minimum response: Record in the incident register. Correct. No external action required.

Level 2: Moderate

Examples: Externally published AI content with a factual error or misleading statement, discovered after the fact. Use of an AI tool outside the inventory by a third party acting on behalf of AIAdopt.

Minimum response: Record. Correct the publication within 48 hours. Update the inventory. Internal root-cause review.

Level 3: Major

Examples: Personal data of a natural person has been entered into or shared with an AI tool in a way that may constitute an unauthorised disclosure, unauthorised access or other breach of the GDPR. An AI-generated decision has affected a specific individual (for example an automated rejection) without human review.

Minimum response: Record. Immediate containment. GDPR Articles 33 and 34 assessment within 24 hours. Notification to the GBA (Belgian DPA) within 72 hours if the threshold is met. Inform the client or controller without undue delay if client data or personal data processed on behalf of a client is affected.

Level 4: Serious

Examples: Serious incident under Article 73 EU AI Act: an incident that directly or indirectly leads to death, serious harm to health, serious and irreversible disruption of critical infrastructure, a breach of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment.

Minimum response: Record. Immediate containment. Notification to the competent authority under Article 73 within the applicable deadline (see section 5). Full investigation. Communication to those affected, clients or the public where legally required or necessary to limit harm.


5. Serious incidents under Article 73 EU AI Act

Article 73 EU AI Act defines a serious incident as an incident or malfunction of an AI system that directly or indirectly leads to:

The death of a person, or serious harm to a person's health.
A serious and irreversible disruption of the management or operation of critical infrastructure.
A breach of obligations under Union law intended to protect fundamental rights.
Serious harm to property or the environment.

The standard deadline under Article 73 is as soon as possible and no later than 15 days after the causal link, or the reasonable likelihood of it, has been established. Shorter deadlines apply in specific cases, including no later than 2 days for widespread breaches and no later than 10 days in the event of death. The founder assesses each incident against these criteria and escalates in case of doubt. Where it is uncertain whether a case qualifies, legal advice is sought as quickly as possible, without jeopardising the applicable reporting deadlines under the GDPR or the EU AI Act.

Based on the current AI Tool Inventory, AIAdopt does not currently deploy any high-risk AI systems. Article 73 is therefore unlikely to be triggered in ordinary operations. This procedure nonetheless includes Level 4, to be prepared if circumstances change.


6. Response workflow

The following steps apply to every incident, regardless of severity level. The scope and urgency are tailored to the level.

Step 1: Detect and record

As soon as the founder becomes aware of an incident (through the founder's own observation, a client report, a third-party report, or a platform alert), the incident is recorded in the AIAdopt Incident Register with: date and time of detection, description, AI tool(s) involved, data involved, and an initial assessment of the severity level.

Step 2: Contain

Immediate actions to prevent further harm: stop the operation that caused the incident, revoke access to the tool involved if relevant, remove or correct published content, isolate affected data, preserve evidence (logs, screenshots, prompt history).

Step 3: Classify

Within 24 hours of detection, the founder assigns the definitive severity level and documents the reasoning. In case of doubt the higher level is chosen, pending further investigation.

Step 4: Notify

Notifications follow the minimum-response matrix in section 4. Those affected are informed without undue delay if their personal data has been affected in a way likely to result in a high risk to their rights and freedoms. Clients are informed if their data or service is affected.

Step 5: Investigate and document

For Level 2 and above, a root-cause analysis is documented within 14 days, covering: what happened, why it happened, what was done, what the impact was, what is changing to prevent recurrence.

Step 6: Learn and adapt

Findings are incorporated where needed into the AI Usage Policy, the AI Tool Inventory and this procedure. Each change is dated and appears in the next version of the document concerned.


7. Contacts and escalation

The following contacts are maintained for incident response. The details are verified annually during the Q4 review and updated immediately if a contact changes.

GBA (Belgian Data Protection Authority)

For: Personal data breach notifications (GDPR Art. 33).

How to reach: [email protected] · +32 2 274 48 00 · www.gegevensbeschermingsautoriteit.be

BIPT / competent Belgian AI Act authority

For: Serious-incident notifications under the AI Act.

How to reach: To be confirmed per incident type and national implementing rules. Until confirmed: consult the AI Act Service Desk and the current BIPT information page.

Provider of the AI tool involved

For: Tool-specific incident reports, data deletion requests.

How to reach: In accordance with the applicable provider terms (see AI Tool Inventory).

Affected client

For: Direct notification if the incident affects their data.

How to reach: Via [email protected], based on the client contact details.

Legal adviser (ad hoc)

For: Incidents with legal, regulatory or reputational consequences that go beyond routine handling.

How to reach: Engage external counsel at Level 3 or 4.


8. Incident register

AIAdopt maintains an internal register of all incidents, regardless of severity. The register is stored in a protected location accessible only to the founder (and any successor). Each entry contains:

Incident ID (sequential, format INC-2026-001).
Date and time of detection, date and time of occurrence if different.
Severity level and reasoning.
AI tool(s) involved, data classes involved.
Description of what happened.
Actions taken and dates.
Notifications sent and to whom.
Outcome of the root-cause analysis.
Changes to policy, inventory or procedure as a result.

The register is kept for at least 5 years from the incident date, unless a longer retention period is necessary for legal claims, statutory obligations or ongoing investigations. Personal data in the register is limited to what is necessary for incident handling, evidence and compliance.


9. Training and preparedness

The founder reviews this procedure at least annually and simulates a Level 2 response once a year as a tabletop exercise.
Any future contractor or successor with access to AI tools used by AIAdopt is briefed on this procedure before operational use.
Changes in the Belgian national implementation of the EU AI Act (expected in 2026) trigger a review of section 5 and section 7.

10. References

AIAdopt AI Tool Inventory v1.0 (internal document)
Regulation (EU) 2024/1689 (EU AI Act), Article 73 and the recitals on reporting of serious incidents
Regulation (EU) 2016/679 (GDPR), Articles 33 and 34
GBA (Belgian DPA) reporting procedure: www.gegevensbeschermingsautoriteit.be
EU AI Act Service Desk: ai-act-service-desk.ec.europa.eu

Approved by:

Rob Ummels, founder, AIAdopt

[email protected] · https://aiadopt.eu

Place and date: Maaseik, Belgium · 21 April 2026